Pidgin < 2.10.8 Multiple Vulnerabilities

Critical Nessus Plugin ID 72282


An instant messaging client installed on the remote Windows host is affected by multiple vulnerabilities.


The version of Pidgin installed on the remote host is a version prior to 2.10.8. It is, therefore, potentially affected by the following vulnerabilities :

- The bundled version of Pango has an error that can lead to an application crash when rendering fonts and attempting to display certain Unicode characters.

- Errors exist related to handling unspecified characters, incorrect character encoding, incorrect XMPP timestamps, hovering a pointer over a long URL, unspecified HTTP responses, Yahoo! P2P messages, STUN responses, and IRC arguments that could cause application crashes and denial of service conditions.
(CVE-2012-6152, CVE-2013-6477, CVE-2013-6478, CVE-2013-6479, CVE-2013-6481, CVE-2013-6484, CVE-2014-0020)

- Errors exist related to handling MSN SOAP, MSN OIM, and MSN header content that could cause application crashes when NULL pointers are dereferenced.

- An error exists related XMPP content such that the 'from' portion of some 'iq' replies is not verified.

- Errors exist related to parsing chunked and Gadu-Gadu HTTP content, MXit emoticons, and SIMPLE headers that could allow buffer overflows.
(CVE-2013-6485, CVE-2013-6487, CVE-2013-6489, CVE-2013-6490)

- The application does not protect against links to untrusted executable content. (CVE-2013-6486)


Upgrade to Pidgin 2.10.8 or later.

See Also

Plugin Details

Severity: Critical

ID: 72282

File Name: pidgin_2_10_8.nasl

Version: 1.7

Type: local

Agent: windows

Family: Windows

Published: 2014/02/04

Updated: 2019/11/26

Dependencies: 34205

Risk Information

Risk Factor: Critical

CVSS Score Source: CVE-2013-6490

CVSS v2.0

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:pidgin:pidgin

Required KB Items: SMB/Pidgin/Version

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/01/28

Vulnerability Publication Date: 2014/01/28

Reference Information

CVE: CVE-2012-6152, CVE-2013-6477, CVE-2013-6478, CVE-2013-6479, CVE-2013-6481, CVE-2013-6482, CVE-2013-6483, CVE-2013-6484, CVE-2013-6485, CVE-2013-6486, CVE-2013-6487, CVE-2013-6489, CVE-2013-6490, CVE-2014-0020

BID: 65188, 65189, 65192, 65195, 65243, 65492